This year will see an increasing focus on privacy regulations, compliance, and cloud storage – particularly on where and how you store data, as well as the obligations to protect and secure personal data.
There is also the question as to how much the EU and UK will diverge from each other in terms of the General Data Protection Regulation (GDPR) and other regulations.
The measure of this will be what the EU calls “data adequacy” – an equivalent level of personal data protection as that already provided by European law.
However, with growing geopolitical instability, there is also a need to consider how data protection regulations will change.
Changing regulations may affect how data can be stored, and where it can be located. No organisation wants to suffer data loss or a data breach, and so they need to be prepared for change and for unexpected circumstances. This includes U-turns on proposed government policy, such as the UK government’s backtracking on reviewing or scrapping European Union laws and regulations.
The Financial Times recently reported that the majority of almost 4,000 pieces of retained EU law would remain on the UK’s statute book, adding that a further 800 of them will be removed by the end of 2023. Such changes in policy, whether you are for or against Brexit, create uncertainty for businesses about how they should best invest their hard-earned money.
There are also concerns that it could lead to the loss of some key protections.
This includes how privacy regulations will be affected, particularly as there is a growing focus on the extent to which the same regulations will exist across the world. For now, there is no uniformity – there are disparate regulations in jurisdictions across the globe.
There is also the question of whether true data privacy regulations actually exist.
The UK government, for example, wants to sell consumer data to large pharmaceutical companies, and it’s not the only government doing it.
Universal data protection
With no universal set of data protection and privacy regulations, data issues between the EU and the USA continue to exist, especially when it comes to where data is stored – data residency – and data transmission. The movement of data between the US and EU was covered by Privacy Shield, which was designed to allow the US and the European Economic Area (EEA) to freely share personal data of EEA citizens, as if the US had an adequacy decision.
Both jurisdictions feel that it didn’t work well. The Court of Justice of the European Union announced that the Privacy Shield framework “does not effectively protect EEA data subjects” against the interference and usage of personal data by US intelligence authorities and declared it invalid in 2020. US President Joe Biden repealed the Privacy Shield legislation, signing an executive order in January 2020, bringing the original Privacy Shield to its natural conclusion.
The European Commission did, however, endorse its successor, Privacy Shield 2.0, last December and it was hoped this would come into effect this spring.
With growing cloud storage volumes, and the exponential increase in cyber-attacks, organisations and individuals want to know that their data is safe and secure. Cloud leaks undermine confidence that once data is in the cloud, it must be safe. As consumers in the global marketplace, wherever we shop there will be different data protections and privacy regulations. So, how do you manage those? It’s a complex task.
Steven Umbehocker, CEO of OSNEXUS, comments that GDPR is to protect consumers. It is meant to give them control over the processing and storage of their personal data.
“This provides a level of assurance that companies are handling our data with care, which in turn can protect us from cyber-attacks,” he says.
His colleague Joshua Newington-Blake, principal support engineer EMEA at OSNEXUS, adds that “it benefits the customer by allowing them to have some control where the data is stored, how it is managed and for what purpose it is used”.
America is ‘Wild West’
Yet Umbehocker says data sovereignty remains a key issue, describing the United States as more “Wild West” than the EU when it comes to data protection and privacy regulations. This is because there is no federal GDPR equivalent, he says.
He explains that although America has disparate data regulations around healthcare and finance, there is no overarching data protection legislation. “Fortunately, that’s changing with the California Consumer Privacy Act in the US – an attempt to do something like GDPR, which is a good start.”
UK GDPR drag
There are questions about when the new UK GDPR will come into effect. In my view, it seems the UK government is going to give up on it, and on thousands of other EU regulations which are meant to be sunset. This makes it difficult for organisations to plan ahead, creating further data protection and privacy compliance challenges.
This uncertainty could worsen data protection and privacy. It will be interesting to see how Web 3.0 changes consumer privacy. Will we be in charge of our own data? Will people want to buy our data from us directly? This would stop people getting rich by peddling our data, but many are not skilled at securing our personal data now.
Umbehocker points out that certain types of data will be, for example, sovereign to the UK and to the EU. This depends on whether individuals or customers are UK or EU citizens. This means that certain types of data can only be stored in those jurisdictions.
He adds: “This is going to have some impact on tech companies: We need to make sure we know where the data resides and be able to dynamically move that data. This creates costly data migration challenges, and you must do it without impacting the software and platforms. The minute you start moving large amounts of data over a wide-area network [WAN], you need to do it efficiently, and that’s where WAN Acceleration comes to bear.”
In some industries, such as healthcare and financial services, the maintenance and protection of personal and sensitive data is paramount. To lose that data, or for it to be stolen, affects both their organisations and their customers. So, for compliance, data needs to be encrypted at the source – essentially backed up in at least three locations. Non-compliance with GDPR because of a data breach could also lead to significant fines of up to £17.5m under the UK GDPR, €20 million under the EU GDPR or 4 per cent of annual global turnover.
Joshua Newington-Blake says that encryption can be leveraged to help protect data. However, certain technologies such as WAN Optimisation can’t handle encrypted data – even though it is often critical.
Moreover, with data sovereignty in mind, Umbehocker explains that there may be circumstances whereby organisations may need to delete a copy of their cloud-stored data in a particular zone or move data to another jurisdiction to ensure compliance is met. This means that organisations must be fully aware of the physical location of the data, and they must have a mechanism to move it without disrupting users.
Location and WAN Acceleration
Umbehocker and Newington-Blake both conclude that the answer to protecting data by moving it fast is WAN Acceleration. If organisations don’t have the ability to move the data quickly, data transfers of voluminous data could take months, depending on the amount of data involved. WAN Acceleration with a solution such as my own company’s PORTrockIT makes this exercise much easier and faster – even with encrypted data no matter where it resides in the world.
This technology uses artificial intelligence, machine learning, and data parallelisation to mitigate the effects of latency and packet loss.
Umbehocker says: “Depending on latency, what would be done in 100 days could be done in 10 days, and this could have a huge impact on cloud strategy. It offers more agility and elasticity.
“When things have changed, such as a change in laws due to Brexit, and you don’t have a data transfer rate which can accommodate – your organisation could end up facing some significant fines. It’s about being flexible, and that can be achieved with WAN Acceleration.”
The quicker you can move data, the more protection you have; the less chance there will be for the data to be intercepted. Faster transfers will help enable organisations to achieve data compliance when it comes to privacy and protection, while permitting data to reside at a distance, anywhere in the world.
David Trossell is CEO and CTO of Bridgeworks